9 Principles for Records Management Best Practices

Thursday, January 24, 2019 - 13:59

By Raelene Bennett

Records management is rarely smooth sailing – it can often feel like you’re a tiny vessel in the middle of a sea of legislation. Just when you think you’re paddling in the right direction, a wave of legislation sends you reeling.

Yet records management compliance needn’t be this difficult. Enterprises make it harder for themselves by treating records management as an afterthought, instead of an intrinsic part of their everyday operations. In this article we’ll discuss the nine rules for records management best practices for implementation in your organisation.

Firstly, non-compliance is NOT an option!

In a climate of tightening regulations, enterprises run an increasingly high risk of non-compliance. And, unfortunately, non-compliance can have some pretty serious consequences for businesses. Aside from the inevitable PR black eye and the potential risk of losing clients’ trust, your organisation could find itself faced with serious punitive measures.

In recent years we’ve seen some high-profile examples of businesses being held accountable for failing to adopt records management best practices. Just last year, a Caltex franchisee was brought before Australia’s Fair Work Ombudsman for failing to adhere to record-keeping laws, and the Sydney-based store was fined $A100,000. The franchisee, Aulion Pty Ltd, and its director were both fined after investigations revealed that information from the company’s accountant, bank and superannuation fund did not match figures provided to the ombudsman.

This might seem like an austere sanction but it’s worth remembering that the maximum fine for each breach currently stands at $A1260 for an individual or $A6300 for a corporation. After months or even years of shoddy record-keeping, those four-figure sanctions can add up to a crippling fine.

Making records management best practices the guiding light of your operations will help mitigate the risk of non-compliance. Here are nine principles that will help you to stay compliant without compromising operational efficiency.

1) Prioritise Security and Privacy

One of the first priorities for any business intent on getting its record-keeping house in order is to ensure strict data security and privacy measures are in place. If security is lax, your data could be vulnerable to a breach. A data leak could have huge monetary repercussions whilst also creating a host of PR problems. It is incumbent upon businesses to safeguard their records and treat client data and information with the security that it deserves.

Without the right security measures in place, cybercriminals can not only access your records but also install malware into your systems which could capture your clientele’s vital data. Responding to security alerts should be considered an integral part of records management best practices. Just recently, the Marriott hotel chain was subject to a data breach that resulted in details of 500 million guests being stolen, which could cost the company $US200 million.

Your electronic document and records management system (eDRMS) should have strong inbuilt security features to keep information secure, with encryption of data in transit through a strong SSL connection.

Accessibility is another key component of security and privacy, which can be broken down into two parts: appropriate user access levels within an organisation, and discoverability/usability of information to support business activities. Organisations must ensure that sensitive, private or classified information can only be accessed by specific individuals with appropriate permissions.

Processes and safeguards should also be in place to prevent any unauthorised destruction or deletion of registered physical and digital records as well as their associated metadata. Using an electronic document and records management system (eDRMS) will assist in recording, tracking and monitoring records.

2) Record, Track and Monitor Documents

Document mismanagement and lack of an effective eDRMS are key contributors to poor record-keeping and can easily impede an organisation’s compliance with legislative requirements. When documents go missing or are unaccounted for, it could result in an agency’s inability to fulfil a Freedom of Information (FOI) request or lead to punitive measures under Australian record-keeping acts and standards.

A comprehensive eDRMS is fundamental to an organisation’s ability to record, track and monitor its intellectual property. Capabilities to look for include:

Automatic capture of records, and application of classification and metadata in the background. The ability to locate the correct content when it’s required is often dependent on metadata, so capturing quality metadata is important.

The ability to manage content across repositories. Often organisations will find information saved in network drives, on computer hard drives, within applications and in cloud repositories such as SharePoint or OneDrive.

The ability to manage physical, digital and hybrid records, including the likes of email conversations and social media records.

The provision of a defensible audit trail. When a record is deleted, your eDRMS should preserve the metadata of the deleted record so that the historical actions taken on the record, and the users who took them, can be traced. This is essential when it comes to identifying whether business and legal guidelines have been adhered to and tracing any unauthorised activity.

Organisational content should be handled in accordance with your organisation’s records management strategy. This will ensure that an appropriate system is in place to record, track and monitor content and mitigate the risk of content becoming lost, without doing so at the expense of end users’ work processes.

3) Create and implement a records management strategy

A clear and actionable records management strategy should be at the heart of your organisation’s records and information architecture, processes and procedures. It should be based on thorough research of appropriate policies and standards and audited regularly.

Organisations need to create and thoroughly document their records and information management processes and procedures, and ensure all staff have access to this documentation. Organisations should clearly identify the accountability of those who handle records and understand how this strategy will fit within the organisation’s strategic business plan.

To ensure your records management strategy is compliant with current legislation, regular reviews are imperative.

4) Annually review / audit

Compliance is never a ‘one and done’ activity, especially when it comes to records and information management. Your records management policy should include an annual review and assessment of internal and external compliance in relation to appropriate acts and standards. The standards by which you measure record management efficacy should be based on national, state and international standards.

A thorough audit should take an impartial look at your record-keeping policies and processes. Does the execution match the language of the policy and the legislation that informs it? Where do they fall short? Where could they be improved? Could they be made more time efficient while still adhering to legislative requirements? Do they get derailed? If so, how can you mitigate the causes of this?

5) Destroy records at the end of their lifecycle

Just as digital records can become vulnerable to data breaches, so too can your physical documents. Whilst statutory regulations dictate that some records need to be kept indefinitely, most records should be destroyed after a prescribed period of time.

Navigating the complexity of record disposal and retention requirements is a difficult task for most businesses. This is why it’s important for organisations to do their due diligence in determining these requirements or contract the services of a records and information management specialist to do this on their behalf. This will help ensure that organisational policies are accurate and compliant.

The National Archives of Australia website provides some general guidelines for the compliant destruction of information. It explains that compliant destruction of information should be:

Authorised by the archives via an active records authority

The destruction needs to be irreversible

Destroyed with the same level of security that was maintained during the record’s lifespan

Information should be destroyed in a timely manner and not kept longer than necessary

The best way to think about information architecture is that it’s a blueprint for your information ‘warehouse’ and is a crucial part of your governance strategy. Good infrastructure will ensure your organisational content is secure, findable/searchable and is disposed of at the end of its lifecycle. When designing your information architecture, carefully consider the following:

Business Classification Scheme (BCS) or Taxonomy - One of the easiest ways for organisations to manage information is by grouping related content together and then labelling and allocating each of these groups into a master arrangement. This is known as a Business Classification Scheme (BCS) and is a form of taxonomy that makes it easier for organisations to search for and locate content. For example, with a BCS you can more easily provide permissions so that specific users have access to certain information based on the grouping defined in the classification.

Retention and Disposal Schedules (RDS) or information lifecycle design - A retention and disposal schedule is necessary to ensure that organisations are meeting their legal and compliance obligations under state and federal laws. By having a process that determines how long records should be retained before destruction, as well as methods for identifying records due for destruction, organisations can not only reduce their exposure to compliance risks, but also significantly reduce the time and resources spent retrieving documents.

Metadata Schemes - Most organisations think that organising their folders in a network drive is adequate. However, truly efficient information management requires your internal documents to include metadata. Including metadata removes the time spent manually working out which folder to place a file in, as a document management system can read a document's metadata and classify it accordingly. This, in turn, makes document searching easier as you will not have to manually click through a myriad of different folders to locate the file you want.

Good information architecture will enable records to be captured and classified without impacting where and how your team works.

7) Capture records without disrupting the way end users work

If your records management system requires the involvement of end users (i.e. your employees), this will almost guarantee engagement issues which can stymie workflow, productivity and your record-keeping efforts. A modern, effective records management system will do its work in the background, appearing invisible to end users, and will possess the ability to manage records in-place across a variety of platforms (e.g. email, social media, cloud storage, network drives and computer desktops), enabling your team to work how and where they work.

An effective records management system will also automatically capture metadata, which means end users won’t have to manually input all metadata into a pop-up form when uploading and adding documents.

8) Digitise physical records

While digitisation of physical records can be seen as a time consuming and costly endeavour, the end result will far outweigh the interim costs and effort. Organisations will benefit from improved operational efficiency and ease of access to information (the ability to find a digital record is much quicker and easier than locating a file in a room full of boxes), significant savings in physical storage costs, reduced risk of losing records should there be a fire, flood or other disaster, and better integration with current business information systems.

As part of their digitisation policy, organisations should consider:

What records management system you’ll use to capture the digitised records, what access will be provided to these records, and what respective metadata should be captured

The state of physical composition of the records which will affect the security, physical handling and digitisation equipment required, especially if the records aren’t documents

Whether the physical records can be legally destroyed and how this will be handled

What type of digitisation is appropriate: a digital photocopy/image, or optical character recognition (OCR), which gives the record machine-readable text

During the digitisation process, versions of the digitised record will be created for processing purposes. How will these various versions be managed?

How accuracy and quality controls will be maintained throughout the process

Whether to digitise in-house or outsource, whilst considering the challenges that may be encountered in each scenario

9) Develop and maintain an information asset register

In order to understand your information and how best to manage and protect it, it is vital to first understand what the term ‘information asset’ means. An information asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and utilised effectively. Information assets have defined and manageable value, risk, content and lifecycles.

An Information Asset Register (IAR) is a formal inventory of information assets, which helps organisations better manage the information and records they possess and mitigate the associated risks.

IARs can be a useful tool for risk analysis and information security planning, for identifying critical systems for disaster recovery and business continuity, for informing digital preservation plans and for identifying strategic records and information management priorities.

Organisations developing and implementing an IAR should consider:

How your organisation will conduct an information review to determine what is and isn’t an information asset, the value and lifecycle of each asset, and which regulatory requirements apply

How to group, number and name information whilst taking into consideration business needs

Whether there are opportunities for disposal, savings and/or efficiencies

Creating mitigation strategies for identified risks

Developing an action plan for managing this change with planned contingencies

Defining who will be responsible (custodian) for the information assets and the register itself

How often the IAR should be reviewed to ensure its accuracy and relevance, and who will conduct this review

The better you understand your information, the better equipped you’ll be to protect these assets. Considering the above questions will help you to design and implement a strategic IAR as part of your broader records and information management strategy.

In Summary

Defining records management best practices and implementing an effective RIM strategy is imperative for organisations wishing to remain compliant and avoid the potential penalties of not meeting their record-keeping obligations.

Navigating the complexity of recordkeeping legislation can be an overwhelming challenge. This is why most organisations enlist the expertise of a records management specialist.

Our team of records management experts have been helping organisations navigate this complexity since 2008 and would be happy to assist your organisation or respond to any queries you may have.